Review of the Department's Process for Granting Access to the National Student Loan Data System

FINAL INSPECTION REPORT

ED-OIG/I13H0006
July 2008

U.S. Department of Education
Office of Inspector General
Washington, DC

Our mission is to promote the efficiency, effectiveness, and integrity of the Department's programs and operations.

Statements that managerial practices need improvements, as well as other conclusions and recommendations in this report, represent the opinions of the Office of Inspector General. Determinations of corrective action to be taken will be made by the appropriate Department of Education officials.

In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
Evaluation and Inspection Services

July 24, 2008

Memorandum

TO:       Lawrence A. Warder
          Acting Chief Operating Officer
          Federal Student Aid

FROM:     Wanda A. Scott /s/
          Assistant Inspector General
          Evaluation, Inspection, and Management Services

SUBJECT:  Final Inspection Report
          Review of the Department's Process for Granting Access to the National Student Loan Data System (Control Number ED-OIG/I13H0006)

Attached is the final inspection report of our Review of the Department's Process for Granting Access to the National Student Loan Data System (NSLDS). We received your comments to our draft report on May 28, 2008. A copy of your response to the draft report in its entirety is attached.

We also received your draft corrective action plan (CAP) with your response. Corrective actions proposed (resolution phase) and implemented (closure phase) will be monitored and tracked through the Department's Audit Accountability and Resolution Tracking System (AARTS).

In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector General is required to report to Congress twice a year on the reports that remain unresolved after six months from the date of issuance.

In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

We appreciate the cooperation given us during this review. If you or your staff have any questions, please contact W. Christian Vierling, Director, Evaluation and Inspection Services, at 202-245-6964.

Enclosure

The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
INSPECTION RESULTS
   FINDING 1A – FSA has Weak Controls over the Process of Assigning Lender Identification Numbers
      · FSA has not developed adequate procedures to oversee the guaranty agencies' Lender Identification Number applications on behalf of lenders
      · FSA has not developed effective controls for assigning Lender Identification Numbers
      · FSA does not verify agreements
      · Impact of FSA's weak controls over the process of assigning Lender Identification Numbers
      · Recommendations
   FINDING 1B – FSA's Process for Granting NSLDS IDs, Passwords, and Access to External Users is Weak
      · FSA does not provide adequate oversight of external users
      · FSA has not established equivalent security requirements for external users to those that are mandatory for internal users
      · FSA does not require external entities to report on acknowledged internal control weaknesses
      · Impact of FSA's weaknesses in the process of granting external users access to NSLDS
      · Recommendations
   FINDING 2 – FSA Does Not Ensure that External Users Accessing NSLDS Have a Substantially Established Business Relationship with the Borrower
      · FSA does not ensure that external users only at lenders and lender servicers with a substantially established business relationship with a borrower have access to the borrower's NSLDS record
      · Guaranty agencies and state grant agencies have appropriate access to NSLDS
      · Impact of FSA not ensuring that external users accessing NSLDS have a substantially established business relationship with the borrower
      · Recommendations
DEPARTMENT COMMENTS
OBJECTIVES, SCOPE, AND METHODOLOGY

Final Report
ED-OIG/I13H0006
Page 1 of 32

EXECUTIVE SUMMARY

This report provides the results of our Review of the Department's Process for Granting Access to the National Student Loan Data System. Our inspection objectives were to (1) evaluate Federal Student Aid's (FSA) process for granting National Student Loan Data System (NSLDS) IDs and passwords to external users except for schools and borrowers and (2) determine whether the extent of access FSA provides these external users is appropriate.

For our first objective, we found that:

   A. FSA has weak control procedures for assigning the Lender Identification Numbers (LIDs) that external entities are required to obtain before applying for access to NSLDS. Specifically, FSA:
      · Has not developed adequate procedures to oversee guaranty agencies' role in the LID assignment process,
      · Has not developed effective controls for assigning LIDs, and
      · Does not verify the required agreements between guaranty agencies and lenders during this process.

   B. FSA's process for granting NSLDS IDs, passwords, and access to external users is weak. Specifically, FSA:
      · Does not provide adequate oversight of external users,
      · Has not established equivalent security requirements for external users to those that are mandatory for internal users, and
      · Does not require external entities to report on acknowledged internal control weaknesses.

FSA's weaknesses in granting access to external users increase the risk of inappropriate disclosure or unauthorized use of sensitive and personally identifiable information in NSLDS by external entities.

For our second objective, we found that FSA does not ensure that external users accessing NSLDS have a business relationship with the borrower. Specifically, FSA does not ensure that external users only at lenders and lender servicers with a substantially established business relationship with a borrower have access to the borrower's NSLDS record. Lenders and lender servicers also have access to data that is not required for their Federal Family Education Loan (FFEL) Program business needs. Inappropriate access increases the potential for exposure of sensitive NSLDS data and personally identifiable information, including NSLDS reports that contain the borrower's name, date of birth, and Social Security Number. We found that the access given to guaranty agencies and state grant agencies is appropriate.

We recommend that the Acting Chief Operating Officer for FSA –

   1. Develop written procedures for assigning LIDs, including a standard appeal process.
   2. Develop procedures to verify and evaluate the adequacy of agreements between the guaranty agency and the lender and between the lender and the beneficial holder in an Eligible Lender Trustee (ELT) arrangement[1] before issuing a Lender Identification Number.
   3. Develop and implement control procedures, including edit checks, to monitor access to NSLDS and hold Primary Destination Point Administrators (DPAs)[2] accountable for unauthorized usage.
   4. Clarify and strengthen guidance to Primary DPAs to ensure that their users understand and comply with the rules for NSLDS.
   5. Develop a requirement for all users to certify that they have read and will comply with the rules and authorized uses of NSLDS and require external users to obtain application and computer security training prior to initial logon.
   6. Require external entities to report internal control weaknesses over NSLDS access to FSA. FSA should evaluate the weaknesses and take the appropriate action to safeguard the system.
   7. Require lenders, lender servicers, and ELTs to confirm and identify the nature of the substantially established business relationship with the borrower before the borrower's record is accessed.
   8. Require lenders to report the date of the signed loan application during the initial request for access to a borrower's record concerning a new or consolidation loan.
   9. Require lenders accessing NSLDS concerning new or consolidation loans to maintain the loan applications establishing their business relationship with the borrower.

We provided FSA with a copy of our draft report for comment. FSA did not disagree with our inspection results and concurred with some of our recommendations. FSA stated that there were several recommendations that it could not fully implement because it did not have the regulatory or statutory authority, or because the recommended solution would have unintended consequences if the changes were implemented as suggested. FSA cited regulatory or statutory issues, but did not provide any examples of unintended consequences that could result from our recommendations. We modified some of our recommendations in response to FSA's comments.

[1] An ELT is an arrangement between an eligible FFEL Program lender and an ineligible entity that enables the ineligible entity to participate in the FFEL program. The eligible lender (eligible lender trustee) holds FFEL Program loans in trust for the benefit of the ineligible entity (beneficial holder).
[2] The Primary DPA is the representative at each external entity that is responsible for determining who needs access to NSLDS and the type of access required by each user.

BACKGROUND

Section 485B of the Higher Education Act of 1965 (HEA) authorizes the National Student Loan Data System (NSLDS). NSLDS is a database of information about the Federal financial aid history of Title IV loans and Pell Grants.
As the central database for selected Title IV student financial aid, NSLDS stores information about loans, grants, students, borrowers, lenders, guaranty agencies, schools, and servicers. It was designed to provide the following functions: prescreening for Title IV aid eligibility, default rate calculation, operations support, standardized student status confirmation reporting, borrower tracking, pre-claims assistance (PCA) and supplemental PCA, Credit Reform Act support, and preparation of financial aid transcript information.

NSLDS borrower information is organized into sections that include: (1) Loan History, (2) Overpayment History, (3) Pell Grant, and (4) Transfer Student Monitoring. Each section lists the borrower's name, Social Security Number, and date of birth. The web-only view limits users to the Loan History section. The Loan History section reports student status with regard to default, forbearance, and deferment. It is also broken down into aggregate loan information, master promissory note information, and loan summary information.

The aggregate loan information lists the outstanding principal balance and the pending disbursements for subsidized, unsubsidized, Federal Family Education Loan (FFEL) consolidation, combined, and Federal Perkins loans. The master promissory note information describes the notes signed by the borrower. The loan summary information lists the specific loans for the borrower. For each loan, the loan detail information includes type, status, date of origination, school information, disbursed amount, guaranteed amount, outstanding principal balance, the guarantor, and both past and current lenders.

The internal system users of NSLDS include Department of Education (Department), call center, and contractor employees. The external NSLDS users include students, guaranty agencies, schools, third-party servicers, lenders, lender servicers, state grant agencies, and entities in an Eligible Lender Trustee (ELT) arrangement.[3]

Before applying for access to NSLDS, an external entity must first obtain an entity ID number assigned by FSA (e.g., Office of Postsecondary Education ID (OPEID) or Lender Identification Number (LID)). The external entity must then complete the online Student Aid Internet Gateway (SAIG) enrollment application at the Federal Student Aid (FSA) web enroll website. By enrolling the organization in SAIG, the entity can exchange information electronically with the Department. The external entity requests access to NSLDS through this SAIG enrollment process.

[3] An ELT is an arrangement between an eligible FFEL Program lender and an ineligible entity that enables the ineligible entity to participate in the FFEL program. The eligible lender (eligible lender trustee) holds FFEL Program loans in trust for the benefit of the ineligible entity (beneficial holder).

Ongoing Office of Inspector General (OIG) investigations have identified what appear to be unauthorized activities by external NSLDS users. On April 17, 2007, FSA temporarily suspended access to NSLDS by all external entities except schools and borrowers. According to FSA, it needed to examine NSLDS access rules to ensure that the privacy rights of borrowers in NSLDS were being protected, as required by the Privacy Act of 1974, and that users were accessing NSLDS only for authorized purposes.

On May 2, 2007, FSA began to notify entities of the phased-in reinstatement process for access to NSLDS.
FSA's policies provided that access to NSLDS would be restored to an entity only after FSA had determined that restoration was appropriate based on its analysis of access and usage information for each entity. FSA started the process with guaranty agencies, followed by lenders and later state grant agencies. As of December 2007, FSA had not developed reinstatement procedures to phase in ELTs and had not determined whether they would be allowed to apply for access to NSLDS.

FSA has been working with guaranty agencies, lenders, and lender servicers to reinstate their access to NSLDS. As of December 26, 2007, 40% of the entity codes that had access to NSLDS on April 17, 2007 had been reinstated.

   Number of entity codes with NSLDS access
   Type of external entity    April 17, 2007    December 26, 2007
   Guaranty Agency                        36                   36
   Lender                                239                   61
   Lender Servicer                        24                   24
   Total                                 299                  121

FSA revoked access for all state grant agencies on April 17, 2007, and asked the state grant agencies to reapply for NSLDS access. As of December 26, 2007, NSLDS had granted access to eight state grant agencies.

INSPECTION RESULTS

The objectives for this inspection were to (1) evaluate Federal Student Aid's (FSA) process for granting NSLDS IDs and passwords to external users except for schools and borrowers and (2) determine whether the extent of access FSA provides these external users is appropriate. We found that –

   1A. FSA has weak control procedures for assigning the LIDs that external entities are required to obtain before applying for NSLDS IDs and passwords that provide access to NSLDS,
   1B. FSA's process for granting NSLDS IDs, passwords, and access to external users is weak, and
   2.  FSA does not ensure that external users accessing NSLDS have a substantially established business relationship with the borrower.

FINDING 1A – FSA has Weak Controls over the Process of Assigning Lender Identification Numbers

In answering our first objective, we found that FSA has weak controls over the process of assigning LIDs. Specifically, FSA –

   · Has not developed adequate procedures to oversee the guaranty agencies' LID applications on behalf of lenders,
   · Has not developed effective controls for assigning LIDs, and
   · Does not verify the guaranty agency-lender agreements needed for lender participation in the FFEL Program.

The Government Accountability Office (GAO) Standards for Internal Control in the Federal Government emphasizes the importance of strong internal controls. The control environment standard states that a "positive control environment is the foundation for all other standards" and "[m]anagement's philosophy and operating style also affect the environment." The "organizational structure" and the "manner in which the agency delegates authority" also affect the control environment. The standards also emphasize the importance of control activities, which "help ensure that actions are taken to address risks. Control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results."

FSA has not developed adequate procedures to oversee the guaranty agencies' Lender Identification Number applications on behalf of lenders

To participate as an eligible lender in the FFEL Program, as provided for in 34 C.F.R. § 682.401(b)(19)(A), a lender must work with a guaranty agency to apply for an LID. The regulations at 34 C.F.R. § 682.401(b)(7) state that a lender can participate under reasonable criteria established by a guaranty agency. The regulations specify that the guaranty agency may evaluate the lender using its own criteria except to the extent that (1) the lender's eligibility has been limited, suspended, or terminated, (2) the lender is disqualified by the Secretary, or (3) the state constitution prohibits the lender's eligibility. The regulations further specify that the guaranty agency may consider the lender's experience in handling loan programs and the percentage of loans currently in delinquent or default status. FSA, however, does not know what criteria the guaranty agencies are using to evaluate lenders in this area because FSA has not developed procedures to assess the criteria being used by guaranty agencies in evaluating lenders.

FSA has not developed effective controls for assigning Lender Identification Numbers

FSA's Office of the Chief Financial Officer (OCFO) requires guaranty agencies to submit LID applications on behalf of lenders. FSA has delegated the responsibility of assigning LIDs to one primary staff member in FSA's OCFO without developing formal written policies and procedures for assigning LIDs.
Although FSA has an informal appeal process for lenders who are denied an LID, FSA has not established a standard appeal process.

Weak control activities over the assignment of LIDs are a threat to controlling access to NSLDS because obtaining an LID is required for lenders to participate in the FFEL Program and gain access to NSLDS. Without written procedures, FSA has no assurance that the process of assigning LIDs is performed systematically to ensure that only eligible entities are allowed to apply for NSLDS access. Assigning responsibility to a single person without documented procedures makes FSA vulnerable if the individual is not available to perform these functions. Without segregation of duties, assignment of LIDs is susceptible to error and abuse. Weak control procedures increase the chance that risks may not be systematically identified and may jeopardize the sensitive data and personally identifiable information contained within NSLDS.

FSA does not verify agreements

The regulations at 34 C.F.R. § 682.401(b)(19) state that a guaranty agency must ensure "that all lenders in its program meet the definition of 'eligible lender' in section 435(d) of the [HEA] and have a written lender agreement with the agency." To become an eligible lender, a lender must sign an agreement with a guaranty agency as part of the LID application process. FSA neither verifies that the lender and guaranty agency have signed an agreement nor requests or receives a copy of the agreement. As a result, FSA does not know whether the guaranty agency and lender have an ongoing agreement, what is in the agreement, or for what the guaranty agencies are holding lenders accountable. While the regulations do not state what must be in the agreements, FSA has no assurance that the agreements are in line with the requirements of the FFEL Program, that lenders understand their responsibilities for compliance under the program, or that the agreements are consistent across guaranty agencies and lenders.

When issuing LIDs for ELT arrangements, FSA does not verify or request a copy of the ELT agreement. FSA does not have a formal relationship with beneficial holders. As specified in 34 C.F.R. § 682.203(b), a lender that holds a loan in its capacity as a trustee assumes responsibility for complying with all statutory and regulatory requirements imposed on any other holders of a loan. Because FSA does not verify or request a copy of the ELT agreements, FSA does not know what is in the agreements and has no assurance that the lender trustees have informed the beneficial holders of FFEL Program requirements or included provisions to ensure compliance by the beneficial holders. FSA cannot evaluate whether the agreements between lender trustees and beneficial holders would require that the ELT receive an LID or whether the lender trustee will monitor the actions of the beneficial holder to ensure FFEL Program integrity.

FSA's General Manager of Business Operations informed us that NSLDS staff allowed beneficial holders to gain access to NSLDS because she understood that FSA's OCFO verified the ELT agreements and had determined that the ELT was an eligible FFEL Program participant because it was issued an LID. As a result, Business Operations and NSLDS staff members incorrectly assume that ELT agreements are verified during the LID issuance process.

FSA's control environment is weak due to management's operating style of not requiring lenders to submit required agreements with guaranty agencies and other documentation to verify conditions of eligibility, and of assuming without verification that organizational components have made critical eligibility determinations. The delegation of responsibility for assigning LIDs to one primary staff member without formal written policies and procedures also indicates a weak control environment. In addition, the lack of segregation of duties and responsibilities is a control activity weakness that increases the risk of error and abuse.

Impact of FSA's weak controls over the process of assigning Lender Identification Numbers

FSA's weak control environment contributes to the inadequate control activities and the lack of policies and procedures used to control the process of assigning LIDs. The weak controls affect all Department systems accessible by lenders.
The weak controls could permit unauthorized access or pass vulnerabilities to the NSLDS system, which stores borrower loan information and information protected by the Privacy Act of 1974.

Recommendations

We recommend that the Acting Chief Operating Officer for FSA –

   1.1 Develop written procedures for assigning LIDs, including a standard appeal process.
   1.2 Develop procedures to verify and evaluate the adequacy of agreements between the guaranty agency and the lender before issuing an LID.
   1.3 Develop procedures to verify and evaluate the adequacy of ELT agreements between the lender and the beneficial holder before issuing an LID.
   1.4 Obtain and verify current agreements between guaranty agencies and lenders and between lenders and beneficial holders in an ELT arrangement.

FINDING 1B – FSA's Process for Granting NSLDS IDs, Passwords, and Access to External Users is Weak

In reviewing FSA's process for granting NSLDS IDs and passwords to external users, we found that FSA –

   · Does not provide adequate oversight of external users,
   · Has not established equivalent security requirements for external users to those that are mandatory for internal users, and
   · Does not require external entities to report on acknowledged internal control weaknesses.

FSA does not provide adequate oversight of external users

FSA employs a model where a representative from each external entity, known as the Primary Destination Point Administrator (DPA), is responsible for determining who needs access to NSLDS and the type of access required by each user. FSA requires the Primary DPAs to enroll users at their entities and relies on the Primary DPAs to know which entity employees need access to NSLDS. FSA expects the Primary DPAs to evaluate and verify prospective users' need for access and then to submit the users' information and application to FSA on the users' behalf. FSA receives applications from the Primary DPAs for review and approval. Once an external user is approved for NSLDS access, NSLDS generates the User ID and NSLDS staff mail the User ID directly to the external user. In a separate mailing, the NSLDS staff provide an initial password to the external user, along with the "Instructions for NSLDS Users," which describes the rules and authorized uses of NSLDS. FSA does not require external users to sign a statement certifying that they have read and will comply with the instructions.

FSA trusts the Primary DPAs to oversee user NSLDS access at their entities, but has not provided guidance on what the Primary DPA's specific oversight activities should entail. The only assurance FSA has that Primary DPAs will fulfill their responsibilities and ensure that the users adhere to the rules and authorized use of NSLDS is a certification provided with the application from the entity's Chief Executive Officer (CEO) and Primary DPA.

Prior to the shutdown of NSLDS on April 17, 2007, Primary DPAs were required to sign a statement certifying that they agreed to the Primary DPA responsibilities and would comply with applicable rules and regulations. This certification applied to systems in FSA's Electronic Data Exchange (EDE), such as NSLDS. FSA did not require Primary DPAs to sign a certification specifically for NSLDS. That EDE certification was the only instruction provided to Primary DPAs regarding their roles and responsibilities.

Due to concerns about access to NSLDS and potential misuse of the system, FSA issued Dear Colleague Letter GEN-05-06/FP-05-04 in April 2005 to remind the financial aid community that NSLDS users are responsible for using their access properly and for protecting the sensitive data and personally identifiable information contained in the system. FSA, however, has no assurance that all NSLDS users received actual notice of the letter, since the letter was only posted to a website or sent to individuals on a listserv.

The materials provided to external entities for reinstatement to NSLDS have provided strong and clear requirements to the entity leaders and Primary DPAs. The reinstatement materials clearly describe the authorized uses of NSLDS, user responsibilities, and the penalties associated with misuse of NSLDS. Although the reinstatement materials are a good start, FSA has infrequent communication with Primary DPAs and does not provide guidance to DPAs on the specific actions FSA would expect DPAs to perform in monitoring their users. The reinstatement materials also do not provide any provision for external users to certify that they know and understand their NSLDS responsibilities.

FSA has proposed, but not yet implemented, an active Primary DPA recertification process under which Primary DPAs will be required to annually recertify that each of their users still requires NSLDS access, or FSA will terminate the user's access. Prior to the temporary suspension of access to NSLDS, FSA utilized a passive user recertification process. Under this process, the Primary DPA annually received a listing of the entity's users, but the Primary DPA was not required to validate that the organization's users still needed access or that the listed information was accurate.

FSA has partnered with external entities and Primary DPAs to more easily manage the user enrollment process, but FSA has not implemented the proper controls to manage the high risks associated with trusting and providing this level of control to Primary DPAs. Without proper oversight, the Primary DPA model introduces an opportunity for entities and users to abuse their access to NSLDS. The steps that FSA has taken to reinstate access to the entities do not provide adequate oversight of Primary DPAs because FSA has not developed any control activities to ensure that Primary DPAs are fulfilling their NSLDS responsibilities.

FSA has not established equivalent security requirements for external users to those that are mandatory for internal users

The security requirements for external users are much weaker than the requirements for internal users with the same level of NSLDS access. FSA checks to ensure that external users do not have a defaulted student loan, but FSA does not require external users to:

   · Certify that they have read and will comply with the rules and instructions for NSLDS,
   · Obtain favorable background checks, and
   · Take any application or computer security training.

National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems, emphasizes the importance of strong security controls and describes the minimum controls for Federal government information systems. Office of Management and Budget (OMB) Circular No.
A-130, Appendix III, Security\nof Federal Automated Information Resources also \xe2\x80\x9cestablishes a minimum set of controls to be\nincluded in Federal automated information security programs\xe2\x80\x9d and requires agencies to\n\xe2\x80\x9cimplement and maintain a program to assure that adequate security is provided for all agency\ninformation collected, processed, transmitted, stored, or disseminated in general support systems\nand major applications.\xe2\x80\x9d\n\x0cFinal Report\nED-OIG/I13H0006                                                                      Page 10 of 32\n\nInternal user view-only web access is similar to the external user view-only web access, except\nthat different reports are available to internal users based on the user\xe2\x80\x99s organizational\nclassification. All internal users complete a User Participation Request Form that lists their\ncurrent Department clearance level, along with their name, title, work information, Social\nSecurity Number, mother\xe2\x80\x99s maiden name, date of birth, organization, and supervisor\xe2\x80\x99s signature.\nThe internal user applicant is required to read and sign Appendix A: Rules of Behavior to\ncomplete the NSLDS application package. Before granting access to NSLDS and creating a user\npassword, the NSLDS System Security Officer reviews the forms and confirms the internal\nuser\xe2\x80\x99s security clearance and date of clearance with Human Resources Personnel Security.\n\nFSA does not require external users to certify that they have read and will comply with the rules\nand instructions for NSLDS\nNIST describes the planning requirements for rules of behavior:\n\n       The organization establishes and makes readily available to all information\n       system users a set of rules that describes their responsibilities and expected\n       behavior with regard to information and information system usage. 
The\n       organization receives signed acknowledgement from users indicating that they\n       have read, understand, and agree to abide by the rules of behavior, before\n       authorizing access to the information system and its resident information.\n\nAlthough all NSLDS users electronically certify at login that they are accessing a restricted\nsystem and are consenting to the Privacy Act\xe2\x80\x99s requirements, external users are not required to\ncertify that they have read and complied with system rules and responsibilities.\n\nSection 2.3 of the NSLDS Security Plan requires that all internal users sign the NSLDS Rules of\nBehavior Form during the NSLDS ID application process, but it does not include a similar\nrequirement for external users. As part of the application process, all external users are required\nto sign a document certifying that they have read the rules and responsibilities for FSA EDE\nsystems. This certification is then maintained by the Primary DPA. Although NSLDS external\nusers certify that they have read and will adhere to the Privacy Act\xe2\x80\x99s requirements, NSLDS\nexternal users are not required to sign a document or electronically certify that they have read\nand will comply with the authorized uses of NSLDS.\n\nFSA does not comply with the NIST standard because it does not require external users to certify\nthat they have read and will comply with the rules and authorized uses of NSLDS before\naccessing the system. Therefore, FSA cannot ensure that external users understand their roles\nand will responsibly use the system for only authorized purposes. 
If external users were required\nto sign a certification for proper NSLDS usage like internal users, it would help hold individuals\naccountable for their actions and help ensure that each user was completely aware of his or her\nresponsibilities.\n\nFSA does not require external users to obtain favorable background checks\nNIST provides the following requirements for personnel security: \xe2\x80\x9cThe organization screens\nindividuals requiring access to organizational information and information systems before\nauthorizing access.\xe2\x80\x9d Departmental Directive OM:5-101, Contractor Employee Personnel\n\x0cFinal Report\nED-OIG/I13H0006                                                                      Page 11 of 32\n\nSecurity Screenings, specifies that contractor employees that require access to Privacy Act-\nprotected information obtain at least a 5C security clearance for Moderate Risk positions.\nAlthough external users of NSLDS also have access to Privacy Act information, external users\nare not subject to any additional security checks before gaining access to NSLDS.\n\nFSA does not require external users to take any application or computer security training\nNIST provides the following requirements for security awareness and training: \xe2\x80\x9cThe\norganization provides basic security awareness training to all information system users\n(including managers and senior executives) before authorizing access to the system, when\nrequired by system changes, and [at least annually] thereafter.\xe2\x80\x9d In addition, OMB Circular No.\nA-130, Appendix III, Security of Federal Automated Information Resources requires specialized\ntraining requirements to be included in system security plans:\n\n       Before allowing individuals access to the application, ensure that all individuals\n       receive specialized training focused on their responsibilities and the application\n       rules. 
This may be in addition to the training required for access to a system.\n       Such training may vary from a notification at the time of access (e.g., for\n       members of the public using an information retrieval application) to formal\n       training (e.g., for an employee that works with a high-risk application).\n\nExternal users, unlike internal users, are not required to complete application or computer\nsecurity training prior to accessing NSLDS. Though the NSLDS Security Plan has several\nsections devoted to security and application training, it requires mandatory, annual computer\nsecurity awareness training only for internal users (Department and contractor employees).\nSection 3.8.2 of the NSLDS Security Plan specifies that contractor employees will receive\nannual security training for the following topics: NSLDS Security Training, General Security,\nPersonnel Security, User IDs and passwords, System Security (application protection levels and\nfunctional groups), Physical Security, and the Privacy Act Statement \xe2\x80\x93 Non-Disclosure\nStatement.\n\nSection 4.1.2.4 of the NSLDS security plan provides the following for external user training:\n\xe2\x80\x9cUsers of NSLDS Financial Aid Professional Web site receive instruction via the Help pages.\xe2\x80\x9d\nExternal users are not required to receive training to access the system, but instead receive\ninstruction only through help pages. The help pages include a link that directs the user to a\ngeneral Department page on site security and intrusion detection. The Department\xe2\x80\x99s page does\nnot include specific security information for NSLDS. 
Though Section 3.8.1 of the NSLDS\nSecurity Plan explains that NSLDS staff will deliver a comprehensive awareness program at\nconferences, such as with the National Association of Student Financial Aid Administrators\n(NAFSAA) conferences, FSA cannot ensure that all external users receive training on both\nNSLDS application features and system security.\n\nFSA does not comply with the security training requirement for external users, as specified in the\nNIST standard. FSA does not require external users to take NSLDS application and computer\nsecurity training at least once before gaining access to the system as it does for internal users.\nTherefore, FSA has no assurance that external users are aware of the security requirements or\n\x0cFinal Report\nED-OIG/I13H0006                                                                       Page 12 of 32\n\nwill comply with computer security rules and will safeguard the sensitive data and personally\nidentifiable information contained in NSLDS.\n\nFSA does not require external entities to report on acknowledged internal control\nweaknesses\nThe independent auditors for entities are required to report material internal control weaknesses\nin the financial statement audit, but only as they relate to the financial statements. The NSLDS\nAccess Certification requires the Primary DPA and the CEO to certify:\n\n       We have disclosed to our independent auditors and to any audit committee all\n       significant deficiencies in the design and operation of the internal controls that\n       could adversely affect the ability of the agency to ensure compliance with the\n       requirements for NSLDS access, as well as any fraud, whether or not material,\n       that involves management or any other employee connected to the agency\xe2\x80\x99s\n       access to NSLDS.\n\nThe Director of NSLDS stated that she expects independent auditors to properly disclose any\ndeficiencies to FSA through the financial statement audit. 
She stated that she also expects that\nthe FSA Office of Program Compliance will take the necessary steps to evaluate the entity\xe2\x80\x99s\ninternal control weaknesses. The Director of NSLDS explained that FSA does not require\nexternal entities to directly report internal control weaknesses to FSA, but that the internal\ncontrol weaknesses would be reported in the financial statement audit. The Department does not\nreceive financial statement audits from lenders, lender servicers, ELTs, or beneficial holders.\nThe Department does receive compliance audits from lenders and lender servicers. In addition,\nthe guide for these compliance audits does not require any internal control reporting.\n\nThe internal control weaknesses that would be reported to FSA as part of a financial statement\naudit conducted in compliance with Generally Accepted Government Auditing Standards would\nbe only those weaknesses that would have a material effect on the financial statements taken as a\nwhole. There could be weaknesses in the internal controls at an external entity that are not\nmaterial to the financial statements, but could be a significant NSLDS security concern to the\nDepartment.\n\nImpact of FSA\xe2\x80\x99s weaknesses in the process of granting external users access to NSLDS\nThe weaknesses in the process are caused by FSA\xe2\x80\x99s lack of oversight of external entities, such as\nlenders, lender servicers, and beneficial holders. FSA\xe2\x80\x99s enrollment model lacks checks or\ncontrols to ensure that external users know their roles and responsibilities. In addition, FSA does\nnot sufficiently oversee the Primary DPAs as discussed in Finding 1A. There is a risk that the\nprocess can be misused by external entities to use sensitive and personally identifiable\ninformation in NSLDS for unauthorized purposes. OIG is currently conducting criminal\ninvestigations into allegations of unlawful access and use of NSLDS. 
During the course of these\nopen investigations, OIG has identified DPAs that have criminal records for various felony\noffenses. These offenses include burglary, passing worthless checks, and sale/distribution and\npossession of cocaine.\n\x0cFinal Report\nED-OIG/I13H0006                                                                     Page 13 of 32\n\nIn addition, FSA has not yet implemented several enhancements and controls within NSLDS.\nFSA officials have also said that new systems, Integrated Partner Management (IPM) and\nSecurity Architecture, which have not yet been developed, will create a stronger control\nenvironment for NSLDS. Overall, FSA has not implemented all of the necessary controls\nrequired for the security of the system.\n\nRecommendations\nWe recommend that the Acting Chief Operating Officer for FSA \xe2\x80\x93\n\n   1.5 Clarify and strengthen guidance to Primary DPAs to ensure that their users understand\n       and comply with the rules for NSLDS.\n\n   1.6 Develop and implement control procedures, including edit checks, to monitor access to\n       NSLDS and hold Primary DPAs accountable for unauthorized usage.\n\n   1.7 Develop a requirement for all users to certify that they have read and will comply with\n       the rules and authorized uses of NSLDS and require external users to obtain application\n       and computer security training prior to initial logon.\n\n   1.8 Require external entities to report all internal control weaknesses over NSLDS access\n       to FSA. FSA should evaluate the weaknesses and take the appropriate action to\n       safeguard the system.\n\n\nFINDING 2 \xe2\x80\x93 FSA Does Not Ensure that External Users Accessing NSLDS Have a\n            Substantially Established Business Relationship with the Borrower\n\nOur second objective was to determine whether the extent of access FSA provides these external\nusers is appropriate. 
We determined that FSA does not ensure that external users only at entities\nwith a substantially established business relationship with a borrower have access to the\nborrower\xe2\x80\x99s NSLDS record. Lenders and lender servicers also have access to data that is not\nrequired for their FFEL Program business needs.\n\nThe GAO Standards for Internal Control in the Federal Government specify that there should be\n\xe2\x80\x9crestrictions on users to allow access only to system functions that they need.\xe2\x80\x9d In addition,\n\xe2\x80\x9c[a]ccess to resources and records should be limited to authorized individuals, and accountability\nfor their custody and use should be assigned and maintained.\xe2\x80\x9d\n\nFSA does not ensure that external users only at lenders and lender servicers with a\nsubstantially established business relationship with a borrower have access to the\nborrower\xe2\x80\x99s NSLDS record\nThe NSLDS data available to lenders and lender servicers includes enrollment status, loan\nrepayment status, and the borrower\xe2\x80\x99s FFEL Program loan history including loans not held by the\nlender or serviced by the lender servicer. 
Lenders and lender servicers are limited to view-only\naccess in NSLDS and do not have updating capabilities like schools and guaranty agencies.\n\x0cFinal Report\nED-OIG/I13H0006                                                                      Page 14 of 32\n\nBefore suspension of access, users at beneficial holders in an ELT arrangement also had the\nsame NSLDS access as lender and lender servicers.\n\nThere are three primary business relationships that lenders and lender servicers have with\nborrowers: (1) originating and disbursing loans, (2) servicing loans, and (3) consolidating loans.\nThe NSLDS reinstatement materials further break down these duties and specify that access for\nusers at lender and lender servicers is limited to the following six activities: (1) consolidating\nlender, (2) loan holder, (3) enrollment, (4) accuracy, (5) deferments, and (6) default rates.\n\nOriginating and disbursing loans. Lenders are responsible for originating and disbursing loans.\nIn relation to these duties, part of a lender\xe2\x80\x99s due diligence includes checking student eligibility\nand ensuring that there is a valid signed promissory note. To be eligible for a FFEL Program\nloan a borrower must not exceed the aggregate and annual loan amounts, must be enrolled at an\neligible institution, and must not be in default on any Title IV loans. Lenders may use NSLDS\nfor evaluating borrower eligibility, although the Department\xe2\x80\x99s policy is that lenders can rely on a\nschool\xe2\x80\x99s certification of a borrower\xe2\x80\x99s eligibility because schools are required to make this\ndetermination before certifying a loan application.\n\nAn originating and disbursing lender in the FFEL Program would require only four pieces of\ninformation from NSLDS: (1) aggregate loan amounts, (2) annual loan amounts, (3) enrollment\nstatus, and (4) default status. 
As noted above, lenders currently have access to additional\ninformation in a borrower\xe2\x80\x99s record that is not needed to establish borrower eligibility.\n\nServicing loans. To service a loan, a lender needs information on a borrower\xe2\x80\x99s enrollment\nstatus, default status, and whether the borrower has been granted deferment or forbearance. In\naddition, much of the current lender use of NSLDS is in relation to a lender\xe2\x80\x99s customer service\nand counseling functions, which require access to information in the borrower\xe2\x80\x99s NSLDS record.\nTo perform servicing functions, lenders do not need access to information on loans they do not\nhold. Therefore, lender access to NSLDS should be limited to only the loans they hold and\nsummary data of the borrower\xe2\x80\x99s loan history.\n\nLender customer service and counseling would be limited to the loans a lender holds unless a\nlender is counseling a borrower regarding consolidation. Since the lenders have the most current\nloan detail information on the loans they hold, they do not need loan detail information from\nNSLDS to counsel borrowers. Should a lender determine that access to the borrower\xe2\x80\x99s entire\nloan history would assist in counseling a borrower, the lender should first receive permission\nfrom the borrower. The borrower should directly notify NSLDS to provide the lender with\naccess to the borrower\xe2\x80\x99s entire loan history.\n\nConsolidating loans. A consolidating lender requires access to a borrower\xe2\x80\x99s full loan history,\nincluding loans not held by the lender. 
Presently, a consolidating lender needs a borrower\xe2\x80\x99s\nsigned and completed application in order to access the borrower\xe2\x80\x99s record for consolidation\npurposes.\n\x0cFinal Report\nED-OIG/I13H0006                                                                       Page 15 of 32\n\nFSA does not ensure that a borrower\xe2\x80\x99s NSLDS record is accessed only by lenders and lender\nservicers with one of the above business relationships with the borrower. According to FSA\xe2\x80\x99s\nOmbudsman, borrowers have unwittingly allowed a consolidating lender to access their records\nwithout a full understanding of the process. The Ombudsman explained that in some cases\nmarketers purchase partial information from credit bureaus and call borrowers on the phone, talk\nvery rapidly, and portray themselves as being associated with the Department. An Ombudsman\nSpecialist stated that the marketer will lead students into thinking that they will receive more\ninformation about a consolidation loan. Though marketing is an explicitly prohibited activity,\nmarketers have used this method to obtain the information necessary to access a borrower\xe2\x80\x99s\nrecord in NSDLS.\n\nFSA has informed consolidating lenders that they should access NSLDS only when they have\nreceived a signed consolidation application. Apart from the instructions to the lenders, FSA does\nnot have controls to prevent or monitor whether consolidating lenders access borrower records\nprior to receipt of the signed application and has no assurance that the student is aware that the\nlender has access to his or her record in NSLDS. To ensure the security of the system and the\nborrower, the signed application should be dated and steps taken to ensure access is appropriate\nand does not occur before the application date. 
Such action could entail requiring the lender to\nenter the consolidation application date before being granted access to the borrower\xe2\x80\x99s entire loan\nhistory in NSLDS, or having the borrower notify FSA to grant permission for the lender to\naccess the borrower\xe2\x80\x99s entire loan history. FSA could also confirm the borrower\xe2\x80\x99s authorization\nin writing to verify the action with the borrower. In addition, a borrower\xe2\x80\x99s record should be\nlimited to one consolidating lender at any time and access to the lender can be provided on a\ntime-limited basis.\n\nBeneficial holders in an Eligible Lender Trustee agreement\nPrior to the April 2007 shutdown of NSLDS, beneficial holders had the same level of access as\nlenders. According to data provided by FSA, 237 of 5,574 users at entities in an ELT agreement\nwere classified as potential abusers. Of the 1,752 users at lenders not in an ELT agreement, FSA\nidentified only 14 potential abusers.\n\nBeneficial holders do not have a formal relationship with the Department but are participants in\nthe FFEL Program by virtue of the ELT agreement with an eligible lender. FSA does not obtain\nor verify the ELT agreement to ensure that the beneficial holder has legitimate FFEL Program\nfunctions that would require access to NSLDS. FSA has no assurance that beneficial holders in\nan ELT relationship have a legitimate, substantially established business relationship with a\nborrower and therefore should have access to the borrower\xe2\x80\x99s record.\n\nIn order for a non-consolidating lender to perform its duties, it needs access only to the loans it\nholds and summary default information on aggregate loan amounts, annual loan amounts,\nenrollment status, and whether the borrower is in default, forbearance, or deferment. 
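As an added illustration (not code from this report, FSA, or NSLDS), the following Python sketches the access scoping Finding 2 calls for: an originating lender sees only the four eligibility items, a servicing lender sees loan-level detail only for loans it holds, and a consolidating lender sees the full history only after entering a signed application date, with one open grant per borrower that expires. All type names, field names, lender IDs and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Loan:
    loan_id: str
    holder_id: str  # lender currently holding the loan (constructed field)
    year: int       # award year in which the loan was made
    amount: int
    status: str     # "repayment", "default", "deferment", "forbearance", ...

@dataclass
class BorrowerRecord:
    borrower_id: str
    enrollment_status: str
    loans: List[Loan]
    # At most one consolidating lender may hold an open grant at a time.
    consolidation_grant: Optional[Dict[str, object]] = None

class AccessDenied(Exception):
    """The requested view exceeds the requester's business need."""

def eligibility_summary(rec: BorrowerRecord, award_year: int) -> dict:
    """The four items an originating lender needs: aggregate and annual
    amounts, enrollment status, default status. No loan-level detail."""
    return {
        "aggregate_loan_amount": sum(l.amount for l in rec.loans),
        "annual_loan_amount": sum(l.amount for l in rec.loans if l.year == award_year),
        "enrollment_status": rec.enrollment_status,
        "in_default": any(l.status == "default" for l in rec.loans),
    }

def servicing_view(rec: BorrowerRecord, lender_id: str, award_year: int) -> dict:
    """Summary plus deferment/forbearance status plus detail only for the loans
    this lender holds; loans held elsewhere are never returned."""
    held = [l for l in rec.loans if l.holder_id == lender_id]
    if not held:
        raise AccessDenied(f"{lender_id} holds none of this borrower's loans")
    view = eligibility_summary(rec, award_year)
    view["deferment_or_forbearance"] = any(
        l.status in ("deferment", "forbearance") for l in rec.loans)
    view["held_loan_ids"] = [l.loan_id for l in held]
    return view

def grant_consolidation_access(rec: BorrowerRecord, lender_id: str,
                               application_date: date, today: date,
                               valid_days: int = 30) -> dict:
    """Open the full history to one consolidating lender: the signed application
    date must be entered and may not postdate the request, a grant open to a
    different lender blocks it, and the grant expires after valid_days."""
    if application_date > today:
        raise AccessDenied("signed consolidation application is dated in the future")
    open_grant = rec.consolidation_grant
    if (open_grant and open_grant["lender_id"] != lender_id
            and open_grant["expires"] >= today):
        raise AccessDenied(f"record already open to {open_grant['lender_id']}")
    rec.consolidation_grant = {"lender_id": lender_id,
                               "application_date": application_date,
                               "expires": today + timedelta(days=valid_days)}
    return rec.consolidation_grant

def consolidation_view(rec: BorrowerRecord, lender_id: str, today: date) -> dict:
    """Full loan history, including loans held by others, only while open."""
    g = rec.consolidation_grant
    if g is None or g["lender_id"] != lender_id or g["expires"] < today:
        raise AccessDenied("no open consolidation grant for this lender")
    return {"application_date": g["application_date"],
            "loan_ids": [l.loan_id for l in rec.loans]}

def sample_record() -> BorrowerRecord:
    """Constructed sample borrower; every value is illustrative."""
    return BorrowerRecord("B-0001", "half_time", [
        Loan("L-1", "LENDER-A", 2006, 5500, "repayment"),
        Loan("L-2", "LENDER-B", 2007, 6500, "deferment"),
        Loan("L-3", "LENDER-B", 2007, 3500, "repayment")])

def demo() -> dict:
    """Run each check on the sample record; denials are reported, not raised."""
    rec, today, grant = sample_record(), date(2008, 5, 1), grant_consolidation_access
    cases = [
        ("summary", eligibility_summary, (rec, 2007)),
        ("servicing_a", servicing_view, (rec, "LENDER-A", 2007)),
        ("servicing_stranger", servicing_view, (rec, "LENDER-Z", 2007)),
        ("future_application", grant, (rec, "LENDER-C", date(2008, 5, 9), today)),
        ("grant_c", grant, (rec, "LENDER-C", date(2008, 4, 28), today)),
        ("second_lender", grant, (rec, "LENDER-D", date(2008, 4, 30), today)),
        ("view_c", consolidation_view, (rec, "LENDER-C", today)),
        ("view_c_expired", consolidation_view, (rec, "LENDER-C", today + timedelta(31))),
    ]
    out = {}
    for key, fn, args in cases:
        try:
            out[key] = fn(*args)
        except AccessDenied as exc:
            out[key] = f"denied: {exc}"
    return out
```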
Providing\naccess to borrower data to lenders, lender servicers, and ELTs without controls to confirm a\nviable business relationship with the borrower is a weakness in FSA\xe2\x80\x99s internal controls.\n\x0cFinal Report\nED-OIG/I13H0006                                                                        Page 16 of 32\n\nGuaranty agencies and state grant agencies have appropriate access to NSLDS\nGuaranty agencies have access to a borrower\xe2\x80\x99s full loan history and have the ability to update a\nborrower\xe2\x80\x99s NSLDS record. According to the regulations, guaranty agencies are responsible for\nguaranteeing a loan and for reviewing school and lender eligibility. In the NSLDS reinstatement\nmaterials, the specific user functions for guaranty agencies are limited to the following activities:\n\n      1. Determining a person\xe2\x80\x99s eligibility for Title IV student aid\n      2. Billing and collecting on a Title IV loan or grant\n      3. Enforcing the terms on a Title IV loan\n      4. Submitting student enrollment information\n      5. Ensuring the accuracy of a financial aid or borrower record\n      6. Assisting with default aversion activities\n      7. Obtaining default rate information\n      8. Updating an NSLDS record\n      9. Teacher Loan Forgiveness Update\n      10. Compliance\n\nIn order to accomplish their duties, including updating borrower records and compliance,\nguaranty agencies require access to a borrower\xe2\x80\x99s NSLDS record. As of September 6, 2007, all\n35 guaranty agencies have been re-enrolled into the system.4\n\nAccording to the NSLDS reinstatement materials, state grant agencies functions are limited to (1)\ndefault/overpayment status of loans, (2) enrollment, (3) loan forgiveness or loan cancellation,\nand (4) other activities consistent with the guidance provided in the materials. 
Access by state\ngrant agencies is limited to records of in-state residents, non-residents who list an institution that\nis within the state but do not indicate that state as their legal residence, and students who sign a\nform releasing their data. As of December 26, 2007, eight state grant agencies had re-enrolled\ninto the system.\n\nImpact of FSA not ensuring that external users accessing NSLDS have a substantially\nestablished business relationship with the borrower\nAccess by entities without a substantially established business relationship with a borrower\nopens NSLDS up to increased exposure of sensitive data and personally identifiable information.\nLenders and lender servicers, in terms of volume and self-interest, are the most risky of the\nexternal entities.\n\nRecommendations\nWe recommend that the Acting Chief Operating Officer for FSA \xe2\x80\x93\n\n      2.1 Require lenders, lender servicers, and ELTs to confirm and identify the nature of the\n          substantially established business relationship with the borrower before the borrower\xe2\x80\x99s\n          record is accessed.\n\n\n\n4\n    One guaranty agency has two Guarantor Identification Numbers.\n\x0cFinal Report\nED-OIG/I13H0006                                                                   Page 17 of 32\n\n  2.2 Require lenders to report the date of the signed loan application during the initial\n      request for access to a borrower\xe2\x80\x99s record concerning a new or consolidation loan.\n\n  2.3 Require lenders accessing NSLDS concerning new or consolidating lenders to maintain\n      the loan applications establishing their business relationship with the borrower.\n\x0cFinal Report\nED-OIG/I13H0006                                                                                      Page 18 of 32\n\n\n\n                                      DEPARTMENT COMMENTS\n\n\nOn April 14, 2008, we provided FSA with a copy of our draft report for comment. 
FSA\nprovided its comments to the report on May 28, 2008. FSA did not disagree with our inspection\nresults and concurred with some of our recommendations. A copy of FSA\xe2\x80\x99s comments, in their\nentirety, is attached to this report.\n\nGeneral Comments\nFSA stated that there were several recommendations that it could not fully implement because it\ndid not have the regulatory or statutory authority or the recommended solution would have\nunintended consequences if the changes were implemented as suggested. FSA cited regulatory\nor statutory issues for recommendations 1.2, 1.3, and 1.4, but did not provide any examples of\nunintended consequences that could result from our recommendations.\n\nRecommendation 1.1\nDevelop written procedures for assigning LIDs, including a standard appeal process.\n\nFSA Comments\nFSA agreed with this recommendation. FSA stated that in January 2008, it developed and\nimplemented written procedures for assigning LIDs, including a challenge/appeal process.\n\nOIG Response\nWhile FSA has developed written procedures for assigning LIDs, the procedures do not address\nRecommendations 1.2 and 1.3. FSA\xe2\x80\x99s procedures should require the lender, guarantor, or the\nbeneficial holder in an ELT arrangement to submit agreements between the guaranty agency and\nthe lender and between the lender and the beneficial holder. For example, FSA does not know\nthe criteria for which lenders are holding beneficial holders accountable, and there is no mention\nin the policies and procedures about informing lenders throughout the process that they are\nresponsible for the compliance of any beneficial holders participating through them. FSA also\ndoes not know the criteria for which guaranty agencies are holding lenders accountable. 
No\nchanges have been made to the recommendation.\n\nRecommendation 1.2\nDevelop procedures to verify and evaluate the adequacy of agreements between the guaranty\nagency and the lender before issuing an LID.\n\nFSA Comments\nFSA did not agree with this recommendation as written. FSA stated that under the regulations at\n34 CFR \xc2\xa7 682.401(b)(19),5 a guaranty agency is required to have a written agreement with each\nlender that participates in the loan program through that guaranty agency, and the Department\nhas the authority to review those agreements to ensure they exist. FSA stated that the\n\n5\n    There is a typographical error in both of FSA\xe2\x80\x99s references to this regulation in its comments.\n\x0cFinal Report\nED-OIG/I13H0006                                                                       Page 19 of 32\n\nregulations, however, do not have specific standards for those agreements, and therefore, FSA\nhas limited authority to regulate the adequacy of the agreements between the guaranty agency\nand lender beyond the existing statutory and regulatory requirements.\n\nOIG Response\nNo changes have been made to this recommendation. We recognize that FSA has limited\nregulatory authority over the agreements between guaranty agencies and lenders. To clarify,\nOIG did not recommend regulatory changes. FSA does, however, have the authority to review\nagreements to ensure that, at the least, guaranty agencies inform lenders of their responsibility to\nbe in compliance with the requirements of the HEA, regulations, and subregulatory guidance\nsuch as the NSLDS rules.\n\nThe HEA, regulations, and subregulatory guidance provide ample criteria for FSA to evaluate\nwhether the agreements between guaranty agencies and lenders are adequate to protect the\nfederal interest.\n\nFor example, the regulations at 34 C.F.R. 
§ 682.414(a)(4) specify that a guaranty agency require
a participating lender to maintain current, complete, and accurate records of each loan that it
holds. The regulations at 34 C.F.R. § 682.414(c)(2) specify that a guaranty agency require in its
agreement with a lender, or in its published rules or procedures, that the lender or its agent give
the Secretary or the Secretary’s designee and the guaranty agency access to the lender's records
for inspection and copying in order to verify the accuracy of the information provided by the
lender pursuant to Sec. 682.401(b) (21) and (22), and the right of the lender to receive or retain
payments made under this part, or to permit the Secretary or the agency to enforce any right
acquired by the Secretary or the agency under this part. A review would ensure that the guaranty
agency has included provisions to comply with these requirements. A review also provides FSA
with an opportunity to ensure that agreements do not contain inducements prohibited by
§ 428(b)(3) of the HEA and 34 C.F.R. § 682.401(e).

Recommendation 1.3
Develop procedures to verify and evaluate the adequacy of ELT agreements between the lender
and the beneficial holder before issuing an LID.

FSA Comments
FSA did not fully concur with this recommendation. FSA stated that it has developed and
implemented revised procedures for reviewing ELT agreements between the lender and the
beneficial holder before issuing an LID. FSA stated that the revised procedures now require that
FSA receive copies of the agreements, financial statements, financing plans, and co-signed
documents acknowledging the working partnership between the entities.
FSA added that with
respect to the evaluation of the adequacy of the ELT agreements, the regulations do not have
specific standards for those agreements, and therefore, FSA has limited authority to regulate the
adequacy of the agreements between the lender and the beneficial holder.

OIG Response
No changes have been made to this recommendation. We recognize that FSA has limited
regulatory authority over the agreements between lenders and beneficial holders in an ELT
arrangement. OIG did not recommend regulatory changes. As noted above, however, FSA has
the authority to review agreements to ensure that lenders have informed beneficial holders that
they must be in compliance with any requirements of the HEA, regulations, and subregulatory
guidance such as NSLDS rules. A review also provides FSA with an opportunity to ensure that
agreements do not include inducements prohibited by § 435(d)(5) of the HEA and 34 C.F.R.
§ 682.200.

The policies and procedures cited by FSA do not require the lender, guarantor, or the beneficial
holder in an ELT arrangement to submit the agreement between the lender and the beneficial
holder. FSA does not know the criteria for which lenders are holding beneficial holders
accountable, although the regulations at 34 C.F.R. 682.203(b) specify that the lender in its
capacity as trustee assumes responsibility for compliance with all statutory and regulatory
requirements.
FSA’s Lender Assignment Procedures state, “In all cases it should be stressed to
the lender that they bear a significant responsibility to ‘know their client.’” There is no mention
in the procedures about informing lenders throughout the process that they are responsible for the
compliance of any beneficial holders participating through them.

Recommendation 1.4
Obtain and verify current agreements between guaranty agencies and lenders and between
lenders and beneficial holders in an ELT arrangement.

FSA Comments
FSA did not concur with OIG’s recommendation as written. FSA stated that under the
regulations at 34 C.F.R. § 682.401(b)(19),6 a guaranty agency is required to have a written
agreement with each lender that participates in the loan program through that guaranty agency,
and the Department has the authority to review those agreements to ensure they exist. FSA
stated that the regulations, however, do not have specific standards for those agreements, and
therefore, FSA has limited authority to regulate the adequacy of the agreements between the
guaranty agency and lender beyond the existing statutory and regulatory requirements.

OIG Response
No changes have been made to this recommendation. While recommendations 1.2 and 1.3 are
forward-looking and would require a process for new LID applicants, this recommendation
addresses the lack of information FSA has on the agreements between guaranty agencies and
lenders and between lenders and beneficial holders in an ELT agreement. As noted above, we
recognize that FSA has limited regulatory authority over the agreements between guaranty
agencies and lenders and between lenders and beneficial holders in an ELT arrangement.
Again,
FSA has the authority to review agreements to ensure that guaranty agencies require compliance
with the HEA, regulations, and subregulatory guidance from lenders currently participating in
the FFEL program. FSA should do no less for the agreements between lenders and beneficial
holders currently in an ELT arrangement.

6
    There is a typographical error in both of FSA’s references to this regulation in its comments.

Recommendation 1.5
Clarify and strengthen guidance to Primary DPAs to ensure that their users understand and
comply with the rules for NSLDS.

FSA Comments
FSA did not disagree with this recommendation. FSA stated that in January 2008, procedures
for enrolling users for access to FSA systems through the SAIG enrollment process were
clarified and strengthened. FSA stated that NSLDS, among other systems, utilizes this method
to provide access to external partners. FSA also stated that DPA responsibilities and additional
requirements for the Primary DPA and CEO were strengthened and clarified. FSA stated that the
signature process was improved to ensure the CEO or proper designee is accountable for the
users’ access. FSA also stated that the FSA user statement clarified information regarding the
appropriate uses of FSA systems and the protection of Privacy Act information.

OIG Response
We agree that the instructions to DPAs and users are stronger. We still recommend that FSA
provide additional guidance to DPAs, e.g., providing the DPA with examples of non-compliant
actions and methods to identify potential problem users.
No changes have been made to the
recommendation.

Recommendation 1.6
Develop and implement control procedures, including edit checks, to monitor access to NSLDS
and hold Primary DPAs accountable for unauthorized usage.

FSA Comments
FSA agreed to implement control procedures to monitor access to NSLDS. FSA disagreed with
the recommendation for holding the Primary DPAs accountable for unauthorized usage. FSA
stated that it holds the CEO or designee accountable for the user’s access, and, in accordance
with Dear Colleague Letter GEN-05-06/FP-05-04, holds the organization as well as individual
users responsible.

FSA stated that reports will be made available for Primary DPAs to monitor the usage and
potential access violations, and expected to have this completed by December 31, 2008. FSA
added that when the reports are available, it will send the Primary DPAs an email to let them
know that the reports are available and inform them that FSA expects them to use the reports to
monitor usage and potential access violations.

OIG Response
We agree that the CEO or designee should be held accountable for the NSLDS users’ access;
however, the CEO or designee should not be the sole person responsible. Given the critical role
assigned to the Primary DPA as the frontline administrator of a lender or guaranty agency’s
access to NSLDS, the Primary DPA should also be held accountable for unauthorized usage.
The Primary DPA is responsible for determining who needs access to NSLDS and the type of
access required by each user. The Primary DPA enrolls users and verifies their duties. And, as
stated in FSA’s response, FSA expects the Primary DPA to monitor usage and potential access
violations.
No changes have been made to the recommendation.

Recommendation 1.7
Develop a requirement for all users to certify that they have read and will comply with the rules
and authorized uses of NSLDS and require external users to obtain application and computer
security training prior to initial logon.

FSA Comments
FSA agreed with this recommendation. FSA stated that by December 2008, NSLDS will
develop a certification page with the rules and authorized uses of NSLDS that users will have to
accept at logon to begin to access the NSLDS website. FSA stated that this certification page
will also provide a computer security training download component: the user will certify that
they have read, understood, and agreed to the application and security training.

OIG Response
No changes have been made to this recommendation.

Recommendation 1.8
Strengthen the requirements of the Primary DPAs to ensure that policies and procedures are in
place to assure that new users understand the sensitive nature of NSLDS and the penalties for
misuse of the system.

FSA Comments
FSA agreed with this recommendation. FSA stated that in January 2008, it implemented new
procedures that require the Primary DPA to be responsible for obtaining and storing a signed
User Responsibility Statement for each user that registers for access to FSA systems via the
SAIG enrollment process. FSA added that NSLDS now directs all new NSLDS User IDs to the
Primary DPA who is responsible for delivery of the User ID and the NSLDS Rules of Behavior
to each new user.

OIG Response
FSA’s comments satisfied the intent of our recommendation, although we have not evaluated the
effectiveness of FSA’s procedures.
We have removed this recommendation and renumbered
Recommendation 1.9.

Recommendation 1.9
Require external entities to report all internal control weaknesses over NSLDS access to FSA.
FSA should evaluate the weaknesses and take the appropriate action to safeguard the system.

FSA Comments
FSA agreed with this recommendation. FSA stated it will provide language to OIG to include
this step in the A-133 Lender/Servicer Audit Guides.

OIG Response
No changes have been made to this recommendation. In developing its corrective action, we
suggest that FSA ensure that requirements for all entity compliance audits are included; these
entities include lenders, lender servicers, guaranty agencies, and guaranty agency servicers.

Recommendation 2.1
Develop and implement a process to confirm that lenders, lender servicers, and ELTs have an
ongoing business relationship with the borrower before the borrower’s record is accessed.

FSA Comments
FSA disagreed with this recommendation. FSA stated that the relationship with the borrower
begins with the loan application and/or guaranty process. FSA added that lenders and servicers
need to view data on NSLDS to determine eligibility of a loan or provide proper servicing of
FFEL loans to a borrower.

FSA proposed developing a monitoring tool to identify instances of borrower access where no
relationship exists or was recently established after records were accessed. FSA stated it will
then contact the institution to request additional information and to determine appropriate next
steps.
FSA anticipates having this tool in place by December 2008.

OIG Response
We agree that a lender’s relationship with the borrower begins with the loan application process.
We have changed the terminology in the report to refer to external entities having a
“substantially established business relationship” with the borrower. FSA should ensure that
lenders, lender servicers, and ELTs have a substantially established business relationship with
the borrower before the borrower’s record is accessed. FSA should require lenders, lender
servicers, and ELTs to confirm that they have a substantially established business relationship
with the borrower before the borrower’s record is accessed. FSA should require entities to
confirm that they are either making a new loan, servicing an existing loan, or consolidating a
borrower’s loans. For both consolidating and non-consolidating lenders, FSA should require the
lender to report the application date when they established the business relationship with the
borrower. We have modified our original recommendation.

Recommendation 2.2
Modify NSLDS to allow only the loan holding lender and its servicer to view the borrower’s
summary default view and only those loans that the borrower holds with the individual lender.

FSA Comments
FSA disagreed with this recommendation. FSA stated that lenders and servicers rely on data in
NSLDS to grant deferments and forbearances, consolidate loans, and provide customer service to
borrowers and schools. FSA stated that by providing only limited information, the lender will
not see loan statuses of deferment or forbearance on loans they do not hold. FSA added that they
will also not be able to determine the validity of Loan Verification Certificates or consolidation
loan applications.
FSA recommended that NSLDS create a monitoring tool to identify instances
of borrower access where no relationship exists or was recently established after records were
accessed.

OIG Response
As a result of our revised Recommendation 2.1, we have removed this recommendation and
renumbered the Finding 2 recommendations.

Recommendation 2.3
Provide a borrower or prospective borrower the ability to authorize NSLDS to provide one
lender access to his or her records for consolidation and counseling purposes for a limited
amount of time.

FSA Comments
FSA disagreed with this recommendation. FSA stated that it is acceptable for a lender to access
a record on NSLDS once it has received a substantially complete, signed consolidation loan
application, and that the loan application signed by the borrower gives the lender permission to
access his/her records. FSA stated that requiring the borrower to authorize access to NSLDS for
one lender to view NSLDS negates the permission already provided by the loan application and
places an additional burden on the borrower.

OIG Response
The purpose of our recommendation was to ensure that borrowers had granted permission to
consolidating lenders before allowing access to their NSLDS record. We recognize that a
substantially complete, signed application can provide this permission. As such, FSA should
require both consolidating and non-consolidating lenders to maintain signed applications that
document the business relationship. We have modified the original recommendation to reflect
that a substantially complete and signed application provides authorization and there is a need to
preserve documentation of the authorization.
This recommendation is now the last
recommendation of Finding 2.

Recommendation 2.4
Require a lender to report the date of the signed consolidation application during the initial
request for access to a borrower’s record for which it does not hold any or all of the loans.

FSA Comments
FSA agreed with this recommendation. FSA stated that NSLDS will create a method to collect
the date of the signed application on the NSLDS website during the initial request to access a
borrower’s records when it is indicated that access is required for consolidation purposes.

OIG Response
As noted above, we recommend that FSA require both consolidating and non-consolidating
lenders maintain signed applications establishing the business relationship that allows access to
NSLDS. We have updated this recommendation to include this requirement for
non-consolidating lenders. The recommendation has been renumbered as 2.2.



                 OBJECTIVES, SCOPE, AND METHODOLOGY


The objectives for this inspection were to:

   1. Evaluate FSA’s process for granting NSLDS IDs and passwords to external users except
      for schools and borrowers, and
   2. Determine whether the extent of access FSA provides these external users is appropriate.

We began our fieldwork on July 3, 2007, and conducted an exit conference on December 4,
2007. We reviewed the HEA, applicable regulations, GAO Standards for Internal Control in
the Federal Government, and OMB Circular No. A-130, Appendix III, Security of Federal
Automated Information Resources.
We also reviewed the documentation provided by FSA
including the SAIG Enrollment Forms, Department of Education User Participation Request
Form, NSLDS System Security Plan, Electronic Announcements regarding Access to NSLDS,
Procedures and Framework for Restoring NSLDS Access, Reinstatement Updates, Central
Processing System (CPS) Participation Management NSLDS Application Updates, Instructions
for NSLDS Users, and the reinstatement materials provided to guaranty agencies, lenders, and
state grant agencies.

We interviewed FSA staff from the following offices: NSLDS, Business Operations, Chief
Financial Officer, Participation Management, Ombudsman, Student Credit and Management,
Policy Liaison and Implementation, Communication and Management Services, and the Office
of Program Compliance. We also interviewed Department staff from the Office of the General
Counsel and the Office of Postsecondary Education.

To evaluate FSA’s process for granting NSLDS IDs and passwords to external users except for
schools and borrowers, we met with FSA staff to determine how lenders, guaranty agencies, state
agencies, and lender servicers were classified as eligible external users and how these users
applied for NSLDS access.

To determine whether the extent of access FSA provides these external users is appropriate, we
determined the information that each entity can access and conducted interviews to establish the
type of information needed by each external entity to perform their designated FFEL Program
functions.

Our inspection was performed in accordance with the 2005 President’s Council on Integrity and
Efficiency Quality Standards for Inspections appropriate to the scope of the inspection described
above.
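The monitoring tool FSA proposed in its response to Recommendation 2.1 (flag borrower-record accesses where no business relationship exists, or where the relationship was established only after the record was viewed) and the per-DPA usage reports it proposed under Recommendation 1.6 can be illustrated in code. The following is an added example, not code from the report or from any FSA or NSLDS system; the record layouts, field names, identifiers and dates are all constructed for this illustration, and the lender-reported application date stands in for the date OIG recommends lenders report.

```python
"""Constructed illustration of an access-monitoring check for NSLDS-style
borrower lookups. Every record, field name and identifier here is made up for
the example; this is not NSLDS's real schema or data."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed relationship records: the application date a lender reported
# when it established its business relationship with a borrower.
RELATIONSHIPS = [
    {"lender_id": "L-0001", "borrower_id": "B-100", "application_date": date(2008, 3, 1)},
    {"lender_id": "L-0001", "borrower_id": "B-101", "application_date": date(2008, 3, 5)},
    {"lender_id": "L-0002", "borrower_id": "B-100", "application_date": date(2008, 4, 20)},
]

# Constructed access log: which lender's user viewed which borrower record, and when.
ACCESS_LOG = [
    {"user_id": "u-alice", "lender_id": "L-0001", "borrower_id": "B-100", "accessed": date(2008, 3, 10)},
    {"user_id": "u-alice", "lender_id": "L-0001", "borrower_id": "B-102", "accessed": date(2008, 3, 11)},
    {"user_id": "u-bob",   "lender_id": "L-0002", "borrower_id": "B-100", "accessed": date(2008, 4, 2)},
    {"user_id": "u-bob",   "lender_id": "L-0002", "borrower_id": "B-100", "accessed": date(2008, 4, 25)},
]


def index_relationships(relationships):
    """Map (lender_id, borrower_id) -> earliest reported application date."""
    idx = {}
    for r in relationships:
        key = (r["lender_id"], r["borrower_id"])
        if key not in idx or r["application_date"] < idx[key]:
            idx[key] = r["application_date"]
    return idx


def flag_accesses(access_log, relationships, grace_days=0):
    """Return one finding per access that is not backed by a relationship.

    NO_RELATIONSHIP: the lender never reported an application for this borrower.
    RELATIONSHIP_AFTER_ACCESS: the reported application date is later than the
    access (beyond grace_days of allowed data-entry lag), i.e. the relationship
    was established only after the record was viewed.
    """
    idx = index_relationships(relationships)
    findings = []
    for entry in access_log:
        app_date = idx.get((entry["lender_id"], entry["borrower_id"]))
        if app_date is None:
            reason = "NO_RELATIONSHIP"
        elif app_date > entry["accessed"] + timedelta(days=grace_days):
            reason = "RELATIONSHIP_AFTER_ACCESS"
        else:
            continue  # access is covered by a relationship that predates it
        findings.append({**entry, "reason": reason, "application_date": app_date})
    return findings


def dpa_report(findings):
    """Group findings by lender so each Primary DPA reviews only its own users."""
    report = defaultdict(list)
    for f in findings:
        report[f["lender_id"]].append((f["user_id"], f["borrower_id"], f["reason"]))
    return dict(report)


if __name__ == "__main__":
    for lender, items in dpa_report(flag_accesses(ACCESS_LOG, RELATIONSHIPS)).items():
        print(lender)
        for user, borrower, reason in items:
            print(f"  {user} viewed {borrower}: {reason}")
```

With the constructed data, u-alice's lookup of B-102 is flagged because L-0001 reported no application for that borrower, and u-bob's April 2 lookup of B-100 is flagged because L-0002's reported application date (April 20) falls after the access; the April 25 lookup is covered.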